PHI is not the twenty-first letter of the Greek alphabet, nor is it a ratio defined by geometric construction. In this context, PHI stands for “Protected Health Information”, and includes any health information, in any form, that can be used to identify an individual, in some way. It is important to understand that, even though information such as names, telephone numbers, and birthdates are not unique identifiers, they are said to be “quasi-identifiers”, which, when combined, become personally identifying information. It should also be noted that health information relating to individuals who have been deceased for more than 50 years is not classified as PHI.
According to The HIPAA privacy rule, there are 18 identifiers that can be used to identify, locate or contact an individual, which include:
- Name
- Address
- Dates that relate to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
- Telephone numbers
- Fax numbers
- Email address
- Social Security Number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate or license number
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URL
- Internet Protocol (IP) Address
- Finger or voice print
- Photographic image (not limited to images of the face)
- Any other characteristic that could uniquely identify the individual
How to Monitor PHI
Before you can effectively monitor protected health information, you need to know exactly what data you have, where it is located, who has (and should have) access to it, and what they are doing with it. It is a HIPAA requirement that covered entities maintain an audit trail of all changes made to PHI, although there are no specific requirements relating to how detailed the audit logs should be. Secondly, you must protect your PHI from unauthorized access, which requires implementing robust access controls, in accordance with The HIPAA Minimum Necessary Standard. You must also monitor those controls to protect against privilege escalation.
Data Discovery and Classification
As mentioned, the first step towards protecting your PHI is to ensure that you know exactly what data you have, and where it is located. In modern IT environments, which are complex and distributed, this is not an easy task, especially if your plan is to locate your PHI manually. The best option would be to use a data discovery and classification tool, which will automatically scan your repositories for any of the 18 identifiers listed above. Once found, the PHI will be classified accordingly, which will make it a lot easier to assign the appropriate access controls. Once you have classified your data it is good practice to remove (or at least archive) any data that is no longer relevant.
The HIPAA’s Minimum Necessary Standard
The HIPAA Minimum Necessary Standard was introduced to ensure that covered entities make “reasonable efforts” to ensure that they only grant access to PHI when it is absolutely necessary. The first step to complying with this standard is to design a set of policies that stipulate how, why, and when access to PHI is granted/revoked. These policies should also include information about the access control methods used. These days, many organizations choose Role-Based Access Control (RBAC) as their preferred method of access control due to its flexible and intuitive nature. With RBAC, access rights are assigned to roles (or groups) as opposed to individual users.
Monitoring User Permissions
In addition to setting up access controls, you should periodically review and continuously monitor changes to those permissions in order to identify and respond to unauthorized access to your PHI. While it is theoretically possible to monitor your event logs manually, this would be a cumbersome and error-prone task. Instead, you should adopt a dedicated real-time auditing solution that will keep track of all permission changes in Active Directory, Exchange Server, SharePoint, SQL Server, File Server, as well as most popular cloud platforms. If you use RBAC for controlling access and you are using Active Directory, then you will also need to monitor Group Memberships, as an unexpected change to group permissions could have serious consequences.
Monitoring Changes to PHI
As mentioned already, HIPAA-covered entities must maintain an audit trail of all changes made to PHI, which requires auditing changes in real-time. A real-time auditing solution will keep track of all changes to your PHI, and provide you with a detailed audit log including information about who, what, where, and when the changes were made. These days, most real-time auditing solutions use machine learning techniques to identify anomalous behavior. When a suspicious event is detected, it will send an alert to the administrator’s email account or mobile device, thus allowing them to launch an investigation into the incident. Some solutions can also detect and respond to events that match a pre-defined threshold condition. For example, if X number of files are copied within a given time frame, a custom script can be executed which can disable a user account, stop a specific process, change the firewall settings or simply shut down the affected server. Threshold alerting can also be used to identify failed logon attempts and to prevent the spread of ransomware.
Monitoring Access to Devices that Store PHI
In addition to monitoring direct access to your PHI, you should also keep track of which users are accessing specific devices that store PHI. You should keep a record of all logon/logoff events in order to make it easier to identify the cause of an incident. It would also be a good idea to keep track of any changes to each device’s network access policy as this will give you information about whether the device has access to the public internet or not.
Conclusion
If you’d like to see how the Lepide Data Security Platform can help give you more visibility over your PHI and help meet HIPAA compliance, schedule a demo with one of our engineers.